A high-severity vulnerability in Dolby's Unified Decoder could be exploited for remote code execution, without user interaction in some cases.
Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a software/hardware component used for processing DD+, Dolby AC-4, and other audio codecs, converting them into formats that can be played back through speakers.
The decoder, Google Project Zero's Ivan Fratric and Natalie Silvanovich discovered, was impacted by an out-of-bounds write issue that could be triggered during the processing of evolution data.
"The decoder writes evolution data into a big, heap-like contiguous buffer contained by a bigger struct, and the length calculation for one write can overflow due to integer wrap," Silvanovich explains.
This, she notes, results in the allocated buffer being too small and in an ineffective out-of-bounds check of the subsequent write.
"This could allow later members of the struct to be overwritten, including a pointer that's written to when the next syncframe is processed," she notes.
Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution.
On Android, the vulnerability can be exploited remotely without user interaction, because all audio messages and attachments are decoded locally using Dolby's Unified Decoder, Silvanovich says.
The security researcher has published proof-of-concept (PoC) exploit code demonstrating how the bug can be exploited to trigger a process crash on Android devices (Pixel 9 and Samsung S24), as well as on macOS and iOS.
"We investigated the exploitability of this bug on Android, and have achieved 0-click code execution in the mediacodec context on a Pixel 9 running version 16 BP2A.250605.031.A2," Silvanovich notes.
Google Project Zero reported the security defect to Dolby Laboratories in June and released information on it after a 90-day disclosure deadline passed and fixes were rolled out.
Microsoft resolved the flaw as part of its October Patch Tuesday updates, noting that user interaction is required for successful exploitation on Windows. Last week, Google said patches were included in the latest ChromeOS updates.
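As an added illustration of the bug class described above (hypothetical code, not Dolby's decoder and not its real sizing logic), the following models a per-write length computed as count * width in 32-bit arithmetic, where the wrapped value both sizes the buffer and feeds the bounds check, beside a widened version that refuses sizes that do not fit:

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the pattern: a length is computed as count * width
 * in 32 bits, the wrapped result sizes the enclosing buffer, and the same
 * wrapped result is what the later bounds check compares against. */

/* Bytes a copy loop that runs count times writing width bytes would really emit. */
uint64_t actual_write_len(uint32_t count, uint32_t width) {
    return (uint64_t)count * width;
}

/* Naive sizing: wraps modulo 2^32 for large count * width. */
uint32_t naive_needed_size(uint32_t header, uint32_t count, uint32_t width) {
    uint32_t len = count * width;   /* may wrap to a small value */
    return header + len;            /* buffer sized from the wrapped length */
}

/* Naive check: reuses the wrapped length, so it cannot catch the overflow. */
bool naive_bounds_ok(uint32_t buf_size, uint32_t offset,
                     uint32_t count, uint32_t width) {
    uint32_t len = count * width;
    return offset + len <= buf_size;
}

/* Hardened sizing: widen to 64 bits so the product cannot wrap, and reject
 * any total that does not fit the 32-bit size the caller will allocate. */
bool checked_needed_size(uint32_t header, uint32_t count, uint32_t width,
                         uint32_t *out) {
    uint64_t total = (uint64_t)header + (uint64_t)count * width;
    if (total > UINT32_MAX) return false;
    *out = (uint32_t)total;
    return true;
}

/* Hardened check: compare in 64 bits against the real write length. */
bool checked_bounds_ok(uint32_t buf_size, uint32_t offset,
                       uint32_t count, uint32_t width) {
    uint64_t end = (uint64_t)offset + actual_write_len(count, width);
    return end <= buf_size;
}
```

With a count of 0x40000001 and a width of 4 the naive product wraps to 4, so the buffer is sized to header + 4 bytes and the check passes, while the copy loop would emit over 4 GiB; the checked variants reject the same input.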